001/*******************************************************************************
002 * Copyright 2017 The MIT Internet Trust Consortium
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *   http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *******************************************************************************/
016
017package org.mitre.uma.service.impl;
018
019import java.util.Date;
020import java.util.HashSet;
021import java.util.Set;
022import java.util.UUID;
023
024import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
025import org.mitre.oauth2.model.AuthenticationHolderEntity;
026import org.mitre.oauth2.model.ClientDetailsEntity;
027import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
028import org.mitre.oauth2.repository.AuthenticationHolderRepository;
029import org.mitre.oauth2.service.ClientDetailsEntityService;
030import org.mitre.oauth2.service.OAuth2TokenEntityService;
031import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
032import org.mitre.uma.model.Permission;
033import org.mitre.uma.model.PermissionTicket;
034import org.mitre.uma.model.Policy;
035import org.mitre.uma.service.UmaTokenService;
036import org.springframework.beans.factory.annotation.Autowired;
037import org.springframework.security.oauth2.provider.OAuth2Authentication;
038import org.springframework.stereotype.Service;
039
040import com.google.common.collect.Lists;
041import com.google.common.collect.Sets;
042import com.nimbusds.jose.JWSAlgorithm;
043import com.nimbusds.jose.JWSHeader;
044import com.nimbusds.jwt.JWTClaimsSet;
045import com.nimbusds.jwt.SignedJWT;
046
047/**
048 * @author jricher
049 *
050 */
@Service("defaultUmaTokenService")
public class DefaultUmaTokenService implements UmaTokenService {

        @Autowired
        private AuthenticationHolderRepository authenticationHolderRepository;

        @Autowired
        private OAuth2TokenEntityService tokenService;

        @Autowired
        private ClientDetailsEntityService clientService;

        @Autowired
        private ConfigurationPropertiesBean config;

        @Autowired
        private JWTSigningAndValidationService jwtService;


        /**
         * Mints a signed UMA requesting party token (RPT) for the requesting
         * party's authentication, bound to the resource set named in the
         * permission ticket and narrowed to the scopes the policy grants.
         *
         * The RPT carries exactly one permission: the ticket's resource set with
         * the intersection of the ticket's requested scopes and the policy's
         * scopes. Its JWT is signed with the server's default signing key and
         * carries the resource set id as audience, the configured issuer and a
         * random JWT id. An expiration is set only when
         * {@code config.getRqpTokenLifeTime()} is non-null; otherwise neither the
         * JWT nor the stored token has an expiration.
         *
         * @param o2auth the requesting party's authentication; persisted and
         *               referenced by the token, and used to look up the client
         * @param ticket the permission ticket being exchanged for the RPT
         * @param policy the policy that authorised the ticket
         * @return the persisted access token holding the signed RPT
         */
        @Override
        public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket, Policy policy) {
                OAuth2AccessTokenEntity rpt = new OAuth2AccessTokenEntity();

                // The authentication is stored first so the token can reference the saved holder.
                rpt.setAuthenticationHolder(persistAuthentication(o2auth));
                rpt.setClient(clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId()));
                rpt.setPermissions(Sets.newHashSet(narrowPermission(ticket, policy)));

                // Claims are built before the header so the configured lifetime is read before the signer is consulted.
                JWTClaimsSet claims = buildClaims(ticket, rpt);
                rpt.setJwt(signWithDefaultKey(claims));

                tokenService.saveAccessToken(rpt);

                return rpt;
        }

        /**
         * Wraps the authentication in a holder entity and saves it.
         *
         * @param o2auth the authentication to persist
         * @return the saved holder, as returned by the repository
         */
        private AuthenticationHolderEntity persistAuthentication(OAuth2Authentication o2auth) {
                AuthenticationHolderEntity holder = new AuthenticationHolderEntity();
                holder.setAuthentication(o2auth);
                return authenticationHolderRepository.save(holder);
        }

        /**
         * Builds the single permission the RPT will carry: the ticket's resource
         * set, restricted to the scopes present in both the ticket's permission
         * and the policy. Scopes the policy does not grant are dropped.
         *
         * @param ticket source of the resource set and the requested scopes
         * @param policy source of the granted scopes
         * @return a new, unsaved permission with the narrowed scope set
         */
        private Permission narrowPermission(PermissionTicket ticket, Policy policy) {
                Permission requested = ticket.getPermission();
                Set<String> granted = Sets.intersection(requested.getScopes(), policy.getScopes());

                Permission perm = new Permission();
                perm.setResourceSet(requested.getResourceSet());
                // Copy: Sets.intersection() is a view over the ticket's scope set.
                perm.setScopes(new HashSet<>(granted));
                return perm;
        }

        /**
         * Assembles the RPT's JWT claims and, when a lifetime is configured,
         * stamps the same expiration on the token entity.
         *
         * Audience is the ticket's resource set id, issuer comes from
         * configuration and the JWT id is a fresh random UUID. When
         * {@code config.getRqpTokenLifeTime()} is null no {@code exp} claim is
         * added and the token entity's expiration is left untouched.
         *
         * @param ticket source of the resource set id used as audience
         * @param rpt    token entity to receive the expiration, if any
         * @return the built claims set
         */
        private JWTClaimsSet buildClaims(PermissionTicket ticket, OAuth2AccessTokenEntity rpt) {
                String resourceSetId = ticket.getPermission().getResourceSet().getId().toString();

                JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder()
                                .audience(Lists.newArrayList(resourceSetId))
                                .issuer(config.getIssuer())
                                .jwtID(UUID.randomUUID().toString());

                if (config.getRqpTokenLifeTime() != null) {
                        // Lifetime is configured in seconds; Date wants milliseconds.
                        Date expiresAt = new Date(System.currentTimeMillis() + config.getRqpTokenLifeTime() * 1000L);
                        claims.expirationTime(expiresAt);
                        rpt.setExpiration(expiresAt);
                }

                return claims.build();
        }

        /**
         * Wraps the claims in a JWS using the server's default algorithm and
         * signer key id, and signs it with the JWT service.
         *
         * @param claims the claims to sign
         * @return the signed JWT
         */
        private SignedJWT signWithDefaultKey(JWTClaimsSet claims) {
                JWSAlgorithm algorithm = jwtService.getDefaultSigningAlgorithm();
                JWSHeader header = new JWSHeader.Builder(algorithm)
                                .keyID(jwtService.getDefaultSignerKeyId())
                                .build();

                SignedJWT jwt = new SignedJWT(header, claims);
                jwtService.signJwt(jwt);
                return jwt;
        }

}